Elliptic Curve Lrp

7/31/2019 Elliptic Curve Lrp

1/50

ELLIPTIC CURVECRYPTOSYSTEM

GUIDE

MAJ TS BAINS


2/50

BIBOLOGRAPHY

A.J. Menezes, P.C. van Oorschot, and S.A.

Vanstone, "Handbook of Applied Cryptography", D.R. Stinson, "Cryptography: Theory and

Practice",

D. Johnson and A.J. Menezes, "Elliptic Curve

DSA (ECDSA): An Enhanced DSA", Certicomwhitepaper, March 1997.

Certicom Corp., "An Introduction to InformationSecurity", Certicom whitepaper, number 1, March

1997. N. Koblitz, "Elliptic curve cryptosystems",

Mathematics of Computation, number 48, pages203-209, 1987.


3/50

CRYPTOSYSTEM CONFIDENTIALITY - CONCEALMENT OF DATA

FROM ALL BUT AUTHORIZED PARTIES. USER AUTHENTICATION - ASSURANCE THAT THE

PARTIES INVOLVED IN A REAL-TIMETRANSACTION ARE WHO THEY SAY THEY ARE.

DATA ORIGIN AUTHENTICATION - ASSURANCE OF

THE SOURCE OF A MESSAGE. DATA INTEGRITY - ASSURANCE THE DATA HAS

NOT BEEN MODIFIED BY UNAUTHORIZEDPARTIES.

NON-REPUDIATION - THE BINDING OF AN ENTITY

TO A TRANSACTION IN WHICH IT PARTICIPATES,SO THAT THE TRANSACTION CANNOT LATER BEREPUDIATED. THAT IS, THE RECEIVER OF ATRANSACTION IS ABLE TO DEMONSTRATE TO ANEUTRAL THIRD PARTY THAT THE CLAIMEDSENDER DID INDEED SEND THE TRANSACTION.


4/50

ELLIPTIC CURVE

IN 1985, NEIL KOBLITZ AND VICTOR MILLERINDEPENDENTLY PROPOSED THE ELLIPTIC CURVECRYPTOSYSTEM (ECC),

1997 ACCEPTED.

SECURITY RESTS ON THE DISCRETE LOGARITHMPROBLEM OVER THE POINTS ON AN ELLIPTIC CURVE.

ECC CAN BE USED TO PROVIDE BOTH A DIGITALSIGNATURE SCHEME AND AN ENCRYPTION SCHEME.

AN ELLIPTIC CURVE OVER REAL NUMBERS MAY BEDEFINED AS THE SET OF POINTS (X ,Y) WHICH SATISFYAN ELLIPTIC CURVE EQUATION


5/50

ELLIPTIC CURVE

AN ELLIPTIC CURVE, DEFINED OVER MODULOPRIME P, IS THE SET OF SOLUTIONS (X,Y) TOAN EQUATION OF THE FORM OF A FINITE FD ZP

y2= x3+ ax+ b (mod p)

FOR TWO NUMBERS a AND b. a,b Z

(a,b) SHOULD SATISFY 4a3 +27b2 =0 (mod p)


6/50

Let p= 23

elliptic curveE: y2

= x3

+ x +1definedover Z23.

a= 1 and b =1 4a3+27b2 =4 +4 = 8 , so

Eisindeed an elliptic curve. QR{ 1, 2 ,3 ,4, 6, 8 ,9 ,12,13,16,18}

An Example


7/50


8/50


9/50

The points in E(Z23) are and the following:

(0,1) (0, 22) (1, 7) (1, 16)

(3, 10) (3, 13) (4, 0)

(5, 19) (5, 4) (6, 4) (6, 19)

(7, 11) (7, 12) (9, 7) (9, 16)

(11, 3) (11, 20) (12, 19) (12, 4)

(13, 16) (13, 7) (17, 3) (17, 20)

(18, 3) (18, 20) (19, 5) (19, 18)


10/50

SUGGESTED SCOPE

ELLIPTIC CURVE FINITE FD F(P) WHERE P IS PRIME NO


11/50

PROBLEM AREAS

RESIDUAL OF POLYNOMIAL

QUADRATIC RATIO OF POLYNOMIAL. KNOWLEDGE OF C++


12/50

TIME SCHEDULE


13/50

SCOPE

CHOOSE A ELLIPTIC CURVE OVER

A GALIOS FIELD OF HIGHER ORDER F(2p150)

DEVP OF SW FOR ADDITION TWO PTSOVER

EC OF GIVEN MODULO.

DEVP OF SW FOR ENCRYPT & DECRYPT

USING ECC. GENRATE A PAIR OF PUB & PVT KEY

ENCRYPT A MSG

ECC FOR AUTHENTICATION


14/50

ECC TOPICS TO BE UNDERSTOOD

ELLIPTIC CURVE

DLP

FINITE FD GALIEOS FIELD

QUDRATIC RATIO

RESIDUAL OF A POLYNOMIAL DISCREATE ALOG FACTORISATION

ELIPTIC CURVE CRYPTOSYSTEM

C++


15/50

ELLIPTIC CURVES:-

An Elliptic curve over a field Zp is the set of points

(x,y) with x,y Zp which satisfy the equationY2 = x3 + ax +b

Together with a single element denoted by 0 and

called the point at infinity.

R

-R = (P + Q)

PQ

Assumption :-1. If P is a point at infinity 0,

thenP to be 0 and P+Q = Q,

ie 0 is additive identity (zeroelement)

2. If P = (x,y), thenp = (x-y)

ie.(x, y) = (x, -y)

x same - .


16/50

3. If P and Q have different x-coordinates, then

the line PQ intersects the curve exactly at onemore point R, and

P + Q = -R (mirror image = -R)

4. If Q = -P, P +Q =0

(ie. Q has same x buty)

5.

If P=Q, then let l be tangent line to the curve at P


17/50

ELLIPTIC CURVES CRYPTOSYSTEM (ECC) :-

Let p > 3 be prime. The elliptic curve y2 = x3 +ax +b

Over Zp is the set of solutions (x,y) Zp x Zp to thecongruence

y2 x3 +ax +b (mod p)Where a, b Zp are constants such that4a3 + 27b3 0 (mod p),Together with a special point 0 called point at infinity

Let P = (x1 y1), Q = (x2 y2)

P + Q = R = (x3, y3)X3 = 2 - x1x2Y3 = (x1- x3)y1


18/50

= y2y1x2x1

, if P Q

3x12 + a

2y1, if P = Q


19/50

Ex :- Let EC be y2 = x3 +x + 6 over Z111. Determine thepoints on E, for this by looking

at each possible x Z11

computing x3 +x + 6

mod 11 is a quadratic residue by applying rulers

criterion.

quadratic residue y2 a mod 11x = 0, y2 = 6x = 1 y2 = 8

x = 2 y2 = 5

x = 3 y2 = 3

x = 4 y2 = 8

x = 5 y2 = 4 QR11x = 6 y2 = 8

x = 7 y2 = 4

x = 8 2 = 9

(= 23 + 2 +6 mod 11

= 8+8 mod 11=5)( = 32 + 3 + 6

= 27 +3 +6 =36)

QR11


20/50

x = 9 y2 = 7

x = 10 y2 = 4 QR11

QR (11) = {1, 3, 4, 5, 9}

12 = 1 mod 11

22 = 4 mod 11

32

= 9 mod 1142 = 16 mod 11= 5

52 = 25 mod 11= 3

62 = 36 mod 11= 3

72 = 49 mod 11= 5

82 = 64 mod 11= 9

92 = 81 mod 11= 4

102

= 100 mod 11= 1

QR (11) = { 2, 6 ,7, 8, 10 }


21/50

* Explicit formula to compute square roots of

quadratic residue mod p for primes p 3 (mod 4)

* By this formula,We have square roots of a quadratic residue Z are

= z (11+1)/4 mod11 = z 1 2/4 mod 11

= z 3 mod 11

* Let x =2, y2 = 5 mod 11

y = 53 mod 11= 125 mod 111

= 4 mod 11+ve = 4

-ve = -4 mod 11 = 7

* Points (x, y) (2,4)(2,7)

z (p+1)/4 mod p


22/50

x = 3, y2 = 3 mod 11

y = 33 mod 11= 27 mod 11= 5

+ve = 5-ve = -5 mod 11 = 6

Points (x, y) (3, 5), (3, 6)

* P i h lli i 2 3 6


23/50

* Points on the elliptic curve y2 = x3 +x + 6

over mod 11. Ie over Z11* Remember 4a3 + 27b3 0 mod 11

Here a = 1, b = 6

4.13 + 27.63 0 mod 114 + 5.3 0 mod 11

* P +12 p # E p +1 + 2 p# No. of point on EC.

* Any point other than point at infinity is a generator

of E, if it has prime no. of points.Let = (2, 7)Is this a generators

Ie. 2, 3, 4-------------- must be points on EC


24/50

* 2 = (2, 7) + (2, 7)= 3x12 + a if P = Q

2y1

(3.22 +1) (12 +1) 2

2.7 14 3

=2 x 4 = 8 (mod11)

2p = p + p

= = = 2 x 3-1

22 = (5,2)

X3 = 2x1- x2 8222 = 5

Y3 = (x1x2)y1 8 (2-5)-7 =2


25/50

* Similarly 3 = 2 + =(5,2) + (2,7)

P + Q = y2y1 if P Qx2x1

X3 = 2x1x2Y3 = (x1- x3)y1X3 = 2252 mod 11

= 8

Y3 = 2(5-8)-2 mod 11= 3

3 = 81 3

=7-2

2-5

= 5-3

= 5 x 8-1

=5 x 7=2


26/50

x X2+x+6mod11

In QR(11)? Y Points onEC

0 6 no

1 8 no

2 5 yes 4, 7 (2, 4)(2,7)

3 3 yes 5, 6 (3, 5) (3,6)

4 8 no

5 4 yes 2, 9 (5, 2) (5,9)

6 8 no

7 4 yes 2, 9 (7, 2) (7,


27/50

MenezesVastone ECC(1993):-

* Journal of Cryptology, 6 (1993) pp 209-214

* IEEE Trans. on IT, 39,(1993) pp 1639 - 1646(1) Let E be an elliptic curve over Zp, P>3 and

prime such that E contains a cyclic subgroup H

in which in which discrete log prob.isintractible.

(2) Let P = Zp* x Zp

*

C = E x Zp*

x Zp*

andK = {(E, , a : = a )}where E.

(3) and are publicand a is secret


28/50

(4) For K = ( E, , a, ), for a secret randomNumber k Z|H| and for x = (x1, x2) Zp*x Zp*

(5) Define ek (x1 k) = (y0 y1 y2)pt.

(6) For a cipher text y

y = (y0, y1,y2)Define

dk(y) = (y1 c1-1 mod p, y2 c2

-1 mod p)

Where ay0 =(C1, C2)

Note :- (i) x = (x1, x2) Zp*x Zp*

is not a point on E.

(ii) k a secret random number

Z|H|

y0 =k(c1, c2) =k[=ax]y1 =c1x1 mod p

y2 =c2x2 mod p


29/50

MenezesVanstone ECC basd on E1 Gamal

Encryption Scheme

Plaintextx(9,1)

chooses

random(k)= 6

Cipher textya secret key(a)

=7

y0 = (7, 9)

y1 = 6

y2 = 3

Y =(y0, y1,y2)

(E, , )

= a

Bs public key

A B

SENDERRECEIVER


30/50

X EC

X = (x1, x2) point

X Zp*x Zp*

Zp* - field

Prime, p > 3

= (2, 7)generator of EC or

Primitive elements of

Computes (y0 y1 y2)y0 = k.y1 = c1x1 mod p

y2

= c2x

2mod p

Kobnitz (1987)

Miller (1986)

Menzes (1993)

Menzes- vaustone

1993MOV (1994)

B computes

(c1, c2) = a y0

Secret of B

(c1,c2) = a.y0 (7.9)

y0

EC(--,--)

(8, 3)

c1 = 8, c2 = 3

X = (y1c1

-1 mod p,

y2c2-1 mod p)

= (9,1)

(9, 1)


31/50

E1 Gamel Encryption using EC:-

Let = (2, 7) and Bs Secret (key) exponent is

, so = 7. = (7, 2)a = 7 By ECC7p = kp Point onEC

Sender Ax1k Receiver B a1y

Now A wants to encrypt the plaintext x = (x1,x2)

= (9,1), where x is not a point on E and chooses the

random value k = 6.

A computes y0 = k = 6 (2,7) = (7,9)and k= 6 (7,2) = (8,3)

= (c1 c2)

so c1 = 8 and c2 = 3

Ne t A calc lates ( ) c mod p 8 9 mod11


32/50

Next A calculates (y1) = c1x1 mod p = 8 x 9 mod11

= 6

and (y2) = c2x2 mod p = 3 x 1 mod 11

= 3Thus cipher-text A sends is

y = (y0, y1, y2) = [(7, 9), 6, 3 ]

When B receives the ciphertext y,B computes (c1, c2) = a y0 = 7 (7, 9) = (8, 3)

And then x = (y1 c1-1 mod p, y2 c2

-1 mod p)

= (6 x 8-1

mod 11, 3 x 3-1

mod 11)= (6 x 7 mod 11, 3 x 4 mod 11)

= (9, 1)

Hence the decryption yields the correct plaintext.

ELLIPTIC CURVES:


33/50

ELLIPTIC CURVES:-

An Elliptic curve over a field Zp is the set of points

(x,y) with x,y Zp which satisfy the equationY2 = x3 + ax +bTogether with a single element denoted by 0 and

called the point at infinity.

R

-R = (P + Q)

PQ

Assumption :-1. If P is a point at infinity 0,

thenP to be 0 and P+Q = Q,

ie 0 is additive identity (zeroelement)

2. If P = (x,y), thenp = (x-y)

ie.(x, y) = (x, -y)

x same - .


34/50

3. If P and Q have different x-coordinates, then

the line PQ intersects the curve exactly at onemore point R, and

P + Q = -R (mirror image = -R)

4. If Q = -P, P +Q =0

(ie. Q has same x buty)

5.

If P=Q, then let l be tangent line to the curve at P

ELLIPTIC CURVES CRYPTOSYSTEM (ECC)


35/50

ELLIPTIC CURVES CRYPTOSYSTEM (ECC) :-

Let p > 3 be prime. The elliptic curve y2 = x3 +ax +b

Over Zp is the set of solutions (x,y) Zp x Zp to thecongruence

y2 x3 +ax +b (mod p)Where a, b Zp are constants such that

4a3 + 27b3 0 (mod p),Together with a special point 0 called point at infinity

Let P = (x1 y1), Q = (x2 y2)

P + Q = R = (x3, y3)X3 = 2 - x1x2Y3 = (x1- x3)y1


36/50

= y2y1x2x1

, if P Q

3x12 + a

2y1, if P = Q

E L t EC b 2 3 6 Z


37/50

Ex :- Let EC be y2 = x3 +x + 6 over Z111. Determine thepoints on E, for this by looking

at each possible x Z11 computing x3 +x + 6mod 11 is a quadratic residue by applying rulers

criterion.

quadratic residue y2 a mod 11x = 0, y2 = 6x = 1 y2 = 8

x = 2 y2 = 5

x = 3 y2 = 3

x = 4 y2 = 8x = 5 y2 = 4 QR11x = 6 y2 = 8

x = 7 y2 = 4

x = 8 2 = 9

(= 23 + 2 +6 mod 11

= 8+8 mod 11=5)( = 32 + 3 + 6

= 27 +3 +6 =36)

QR11

x = 9 y2 = 7


38/50

x = 9 y2 = 7

x = 10 y2 = 4 QR11

QR (11) = {1, 3, 4, 5, 9}12 = 1 mod 11

22 = 4 mod 11

32

= 9 mod 1142 = 16 mod 11= 5

52 = 25 mod 11= 3

62 = 36 mod 11= 3

72 = 49 mod 11= 582 = 64 mod 11= 9

92 = 81 mod 11= 4

102

= 100 mod 11= 1

QR (11) = { 2, 6 ,7, 8, 10 }


39/50

* Explicit formula to compute square roots of

quadratic residue mod p for primes p 3 (mod 4)

* By this formula,We have square roots of a quadratic residue Z are

= z (11+1)/4 mod11 = z 1 2/4 mod 11

= z 3 mod 11

* Let x =2, y2 = 5 mod 11y = 53 mod 11

= 125 mod 111

= 4 mod 11+ve = 4

-ve = -4 mod 11 = 7

* Points (x, y) (2,4)(2,7)

z (p+1)/4 mod p


40/50

x = 3, y2 = 3 mod 11

y = 33 mod 11= 27 mod 11= 5

+ve = 5-ve = -5 mod 11 = 6

Points (x, y) (3, 5), (3, 6)

* Points on the elliptic curve y2 = x3 +x + 6


41/50

* Points on the elliptic curve y = x +x + 6

over mod 11. Ie over Z11* Remember 4a3 + 27b3 0 mod 11

Here a = 1, b = 64.13 + 27.63 0 mod 114 + 5.3 0 mod 11

* P +12 p # E p +1 + 2 p# No. of point on EC.

* Any point other than point at infinity is a generator

of E, if it has prime no. of points.Let = (2, 7)Is this a generators

Ie. 2, 3, 4-------------- must be points on EC

* 2 (2 7) (2 7)


42/50

* 2 = (2, 7) + (2, 7)= 3x12 + a if P = Q

2y1

(3.22 +1) (12 +1) 2

2.7 14 3

=2 x 4 = 8 (mod11)

2p = p + p

= = = 2 x 3-1

22 = (5,2)

X3 = 2x1- x2 8222 = 5

Y3 = (x1x2)y1 8 (2-5)-7 =2


43/50

* Similarly 3 = 2 + =(5,2) + (2,7)

P + Q = y2y1 if P Qx2x1

X3 = 2x1x2Y3 = (x1- x3)y1X3 = 2252 mod 11

= 8

Y3 = 2(5-8)-2 mod 11= 3

3 = 81 3

=7-2

2-5

= 5-3

= 5 x 8-1

=5 x 7=2

2


44/50

x X2+x+6mod11

In QR(11)? Y Points onEC

0 6 no

1 8 no

2 5 yes 4, 7 (2, 4)(2,7)

3 3 yes 5, 6 (3, 5) (3,6)

4 8 no

5 4 yes 2, 9 (5, 2) (5,9)

6 8 no

7 4 yes 2, 9 (7, 2) (7,


45/50

MenezesVastone ECC(1993):-

* Journal of Cryptology, 6 (1993) pp 209-214

* IEEE Trans. on IT, 39,(1993) pp 1639 - 1646(1) Let E be an elliptic curve over Zp, P>3 and

prime such that E contains a cyclic subgroup H

in which in which discrete log prob.isintractible.

(2) Let P = Zp* x Zp

*

C = E x Zp*

x Zp*

andK = {(E, , a : = a )}where E.

(3) and are publicand a is secret


46/50

(4) For K = ( E, , a, ), for a secret randomNumber k Z|H| and for x = (x1, x2) Zp*x Zp*

(5) Define ek (x1 k) = (y0 y1 y2)pt.

(6) For a cipher text y

y = (y0, y

1,y

2)

Define

dk(y) = (y1 c1-1 mod p, y2 c2

-1 mod p)

Where ay0 =(C1, C2)

Note :- (i) x = (x1, x2) Zp*x Zp*is not a point on E.

(ii) k a secret random number

Z|H|

y0 =k(c1, c2) =k[=ax]y1 =c1x1 mod p

y2 =c2x2 mod p

Menezes Vanstone ECC basd on E1 Gamal


47/50

MenezesVanstone ECC basd on E1 Gamal

Encryption Scheme

Plaintextx(9,1)

chooses

random(k)= 6

Cipher texty

a secret key(a)

=7

y0 = (7, 9)

y1 = 6y2 = 3

Y =(y0, y1,y2)

(E, , )

= a

Bs public key

A B

SENDER

RECEIVER

X EC B t


48/50

X EC

X = (x1, x2) point

X Zp*x Zp*

Zp* - field

Prime, p > 3

= (2, 7)generator of EC or

Primitive elements of

Computes (y0 y1 y2)y0 = k.y1 = c1x1 mod p

y2

= c2

x2

mod p

Kobnitz (1987)

Miller (1986)

Menzes (1993)

Menzes- vaustone

1993

MOV (1994)

B computes

(c1, c2) = a y0

Secret of B

(c1,c2) = a.y0 (7.9)

y0EC(--,--)

(8, 3)

c1 = 8, c2 = 3

X = (y1c1

-1 mod p,

y2c2-1 mod p)

= (9,1)

(9, 1)

E1 G l E ti i EC


49/50

E1 Gamel Encryption using EC:-

Let = (2, 7) and Bs Secret (key) exponent is, so = 7. = (7, 2)

a = 7 By ECC7p = kp

Point onEC

Sender Ax1k Receiver B a1y

Now A wants to encrypt the plaintext x = (x1,x2)= (9,1), where x is not a point on E and chooses the

random value k = 6.

A computes y0 = k = 6 (2,7) = (7,9)and k= 6 (7,2) = (8,3)

= (c1 c2)

so c1 = 8 and c2 = 3

Next A calculates (y1) = c1x1 mod p = 8 x 9 mod11


50/50

Next A calculates (y1) c1x1 mod p 8 x 9 mod11

= 6

and (y2) = c2x2 mod p = 3 x 1 mod 11

= 3Thus cipher-text A sends is

y = (y0, y1, y2) = [(7, 9), 6, 3 ]

When B receives the ciphertext y,B computes (c1, c2) = a y0 = 7 (7, 9) = (8, 3)

And then x = (y1 c1-1 mod p, y2 c2

-1 mod p)

= (6 x 8

-1

mod 11, 3 x 3

-1

mod 11)= (6 x 7 mod 11, 3 x 4 mod 11)

= (9, 1)

Hence the decryption yields the correct plaintext.

Date post:	05-Apr-2018
Category:	Documents
Upload:	nirbhaya-sharma
View:	242 times
Download:	0 times

Elliptic Curve Lrp

Documents